The Fragus Exploit Kit

Recently, Purewire’s Malicious Javascript Detection (MJD) engine identified malicious URLs backed by what was found to be Fragus, a new exploit kit that appeared in late July 2009. An example of a Fragus URL and a screenshot of its admin control panel login page are shown directly below.

hxxp://blt.kz/1/show.php?s=5015ba5606

Fragus Admin Control Panel Login

As with most modern exploit kits, Fragus serves not one, but a grab bag of exploits that attack the browser, ActiveX controls, and third party plugins. Deobfuscating the javascript served off of the above URL revealed the following function names (bodies omitted), which each attempt to exploit one or more different vulnerabilities:

The above set of exploits motivates mention of two observations about the continuing evolution of the web threat landscape. First, given that Fragus targets vulnerabilities in at least seven different software components, viewing a given vulnerability as being more or less exploited than another is increasingly incompatible with the way in which it is used. Modern exploit kits will target any and all vulnerabilities that have a reasonable chance of successfully compromising a system, and unfortunately, the presence of just one vulnerable, out-of-date software component is required for that compromise to occur. Second, as one of the above vulnerabilities (MS09-043) is less than a month old, the length of time between the discovery of a vulnerability and its widespread use by criminals is shrinking. The creators of malware infrastructure are now rapidly integrating recently-discovered vulnerabilities into do-it-yourself exploit kits, and security companies must be increasingly quick to respond.